This commit is contained in:
knoflook 2022-06-17 14:20:51 +02:00
commit f035a3bed7
Signed by: knoflook
GPG Key ID: D6A1D0E8FC4FEF1C
8 changed files with 102 additions and 0 deletions

15
LICENSE Normal file

@ -0,0 +1,15 @@
autonomic.expire-users: expire system user accounts
Copyright (C) 2022 Autonomic Co-operative <helo@autonomic.zone>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.

3
README.md Normal file

@ -0,0 +1,3 @@
# autonomic.expire-users
[![Build Status](https://drone.autonomic.zone/api/badges/autonomic-cooperative/autonomic.expire-users/status.svg?ref=refs/heads/main)](https://drone.autonomic.zone/autonomic-cooperative/autonomic.expire-users)

6
handlers/main.yml Normal file

@ -0,0 +1,6 @@
---
- name: Restart SSH
become: true
service:
name: ssh
state: restarted
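Review bot: `state: restarted` is heavier than the change this handler is meant to apply; sshd re-reads `sshd_config` on SIGHUP, so `state: reloaded` picks up an `AllowUsers` edit without restarting the daemon, and the handler would then be better named `Reload SSH`. Nothing in this commit notifies the handler yet (the `notify: Restart SSH` in tasks/users.yml is commented out), so it is currently dead code and will stay so until that TODO lands. The unit name `ssh` matches the Debian-only platform list in meta/main.yml, but would have to become `sshd` if other distributions are ever added.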


@ -0,0 +1,2 @@
install_date: Fri Jun 17 11:35:23 2022
version: 0.1.1

14
meta/main.yml Normal file

@ -0,0 +1,14 @@
---
dependencies: []
galaxy_info:
role_name: expire
namespace: autonomic
author: autonomic
description: Disable (not remove) system user accounts)
company: Autonomic
license: GPLv3
min_ansible_version: 2.9
platforms:
- name: Debian
versions:
- buster
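Review bot: The `description` under `galaxy_info` has an unbalanced closing parenthesis, `system user accounts)`; it should read `description: Disable (not remove) system user accounts`. `role_name: expire` also does not match the repository name `autonomic.expire-users` shown in the README, and Galaxy role names may only contain lowercase letters, digits and underscores, so `role_name: expire_users` would keep the two aligned. The only platform listed is Debian `buster`, which was presumably already oldstable at the time of this commit; if the role is also exercised on bullseye (the molecule setup would show this), add it here so the metadata reflects what is actually tested.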

4
requirements.txt Normal file

@ -0,0 +1,4 @@
ansible-lint==6.0.0
ansible==5.4.0
molecule-hetznercloud==1.3.0
molecule==3.6.1
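Review bot: The four pins are exact versions but carry no `--hash=sha256:...` entries, so the Drone pipeline referenced in the README (presumably running `pip install -r requirements.txt`) still trusts whatever the index serves for those version numbers; `pip-compile --generate-hashes` (or hand-added hashes) with `--require-hashes` would pin the artifacts as well as the versions. These are test-tooling dependencies (ansible-lint, molecule, molecule-hetznercloud) plus `ansible==5.4.0`, the community bundle, whereas meta/main.yml declares `min_ansible_version: 2.9`; a leading comment such as `# development/test dependencies only; the role itself targets ansible >= 2.9` would make that distinction explicit for anyone installing the role.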

18
tasks/main.yml Normal file

@ -0,0 +1,18 @@
---
- name: Ensure mandatory variables are configured
assert:
that: "{{ item }} is defined"
fail_msg: "You must define the '{{ item }}' variable"
with_items:
- add_users_user_accounts
- name: Include resource variables
include_vars: "{{ add_users_user_accounts }}"
tags:
# Note(d1): we already load in converge.yml so skip here
- molecule-notest
# Note(d1): Done in this way because https://stackoverflow.com/a/39041069
- name: Include user addition tasks
include: users.yml user={{ item }}
with_items: "{{ members }}"
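Review bot: `include: users.yml user={{ item }}` uses the legacy bare `include` with inline `key=value` variables, which has been deprecated in favour of `include_tasks`/`import_tasks` since Ansible 2.4 and is removed in newer ansible-core releases; with the `ansible==5.4.0` pinned in requirements.txt it still runs, but with a deprecation warning on every play. The same scoping that the StackOverflow workaround achieves (keeping `user` stable even if users.yml loops internally) is available through `vars:` on `include_tasks`, so the task can be rewritten as below. The task name `Include user addition tasks` and the variable `add_users_user_accounts` look like leftovers from the add-users role this was copied from; at least the name should say `Include user expiry tasks`, and the variable deserves a rename to `expire_users_user_accounts` in a follow-up since callers depend on it.
```yaml
# Note(d1): vars: scopes `user` to this include, so a loop inside users.yml
# cannot clobber it (the reason the old key=value form was used).
- name: Include user expiry tasks
  include_tasks: users.yml
  vars:
    user: "{{ item }}"
  loop: "{{ members }}"
```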

40
tasks/users.yml Normal file

@ -0,0 +1,40 @@
---
- name: "Expire an existing user account"
block:
- name: Show which user account is being handled
debug:
msg: "Attempting to expire account for {{ user.username }}..."
- name: Check if the user accounts already exists
getent:
database: passwd
key: "{{ user.username }}"
register: user_exists
ignore_errors: true
- name: Expire the account and blank the password
user:
name: "{{ user.username }}"
expires: 0
password: '!'
when: user_exists is succeeded
- name: Remove user's .ssh/authorized_keys file
file:
path: "/home/{{ user.username }}/.ssh/authorized_keys"
state: absent
- name: Remove password store entry
become: false
delegate_to: localhost
command: "pass rm -r users/{{ user.username }}/sudo/ {{ item.email }}"
when: user_exists is succeeded
#TODO: - name: "Remove username from the SSH AllowUsers configuration"
# replace:
# backup: true
# dest: /etc/ssh/sshd_config
# regexp: '^(AllowUsers(?!.*\b{{ user.username }}\b).*)$' # this is copied from autonomic.add-users, not correct
# replace: '\1 {{ user.username }}' # this is also in need of change
# notify: Restart SSH
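Review bot: The `pass rm -r users/{{ user.username }}/sudo/ {{ item.email }}` command in "Remove password store entry" hands `pass rm` two pass-names, but it accepts exactly one, so the task will most likely stop on pass's usage error before anything is deleted; it also mixes the outer loop variable `item` with the `user` variable used everywhere else in this file, so split it into one `command` per entry (e.g. `command: "pass rm -r -f users/{{ user.username }}/sudo/"` plus a second task for whatever `{{ item.email }}` was meant to address, using `user.email`). Expiring the account and setting the hash to `!` blocks new logins but does not end sessions that are already open or background processes and cron jobs owned by the user, so an offboarding role should also terminate them, as in the task below (`pkill` exits 1 when nothing matched, which is not a failure here). The `authorized_keys` task hard-codes `/home/{{ user.username }}` although the home directory is already in the getent result (presumably `user_exists.ansible_facts.getent_passwd[user.username][4]`; confirm the field index), and it lacks the `when: user_exists is succeeded` guard its neighbours have. `password_lock: true` on the `user` module states the intent of `password: '!'` directly and is worth preferring for the `min_ansible_version` this role declares.
```yaml
# … unchanged: expire the account and blank the password …
- name: Terminate the user's open sessions and remaining processes
  command: "pkill -KILL -u {{ user.username }}"
  register: pkill_result
  failed_when: pkill_result.rc not in [0, 1]  # 1 = no matching processes
  when: user_exists is succeeded
# … unchanged: authorized_keys and password store tasks …
```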